From: Zak Rogoff
Subject: [libreplanet-discuss] Can you confirm these are not best practices for disclosure?
Date: Mon, 30 Jan 2017 17:16:28 -0500
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Icedove/38.7.0
Hi LP-discuss,
The W3C, which sets Web standards, just released this https://www.w3.org/2017/01/GVDP-factsheet.html in an attempt to pacify all of us who are complaining that their plan to make DRM part of Web standards would be bad for security researchers.

It's a draft of "best practices" for companies to follow when security researchers disclose vulns to them.

Is anyone who's knowledgeable about disclosure policies able to take a look at it and share your thoughts?

To me, it looks like it's not much of a protection for the researchers, because it's totally voluntary and apparently allows companies to ignore it if they make such arbitrary judgements as that the security researcher didn't give them a "reasonable amount of time" between private and public disclosure.

I think we can take Netflix's policy (linked) to be pretty representative of the policies these guidelines will produce.
PS -- the LibrePlanet 2017 t-shirt will be launching soon :)
--
Zak Rogoff // Campaigns Manager
Free Software Foundation